[Samba] Domain Authentication Problem

Bradish, Jeff jeff.bradish at eds.com
Thu Mar 16 14:15:36 GMT 2006


I have been running Samba 2.2.8 on a Solaris 8 server with a valid
NetBIOS server name on the AD domain. The Samba 2.2.8 configuration was
configured for security = domain. Everything was fine until the AD
domain controllers were "upgraded" to Windows Server 2003 SP1. User
authentication would no longer function with the following error message
in the Samba 2.2.8 log:

connect_to_domain_password_server: unable to open the domain client
session to machine <name>. Error was : NT_STATUS_ACCESS_DENIED.

I was able to point the password server entry to another controller that
has not been upgraded to Server 2003 SP1 and all is fine. Authentication
is processed and granted as expected. Problem is that these controllers
are scheduled to be upgraded to 2003 SP1 in the next few weeks.

So I decided to upgrade Samba to 3.0.21c. I downloaded the pre-compiled
version for Solaris 9 and installed with no problems. I copied the
smb.conf and smbpasswd files from 2.2.8 to 3.0.21c. I did not copy the
secrets.tdb file over, although I did validate the SIDs for each Samba
version.

At this point, I cannot get Samba 3.0.21c to be recognized by either
Windows Server 2003 or Windows Server 2003 SP1. I have tried rejoining
the domain with no success. I have verified the SIDs for both Samba
2.2.8 and 3.0.21c.

Some of the 3.0.21c log errors I am seeing are:

cli_nt_create failed on pipe \NETLOGON to machine <name>.  Error was NT_STATUS_ACCESS_DENIED

failed to get schannel session key from server <name> for domain <domainname>.

domain_client_validate: Domain password server not available

check_ntlm_password:  Authentication for user [id] -> [id] FAILED with error NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE

If anyone has seen this problem I would greatly appreciate any feedback
on possible workarounds or fixes. At this point, I cannot get domain
security to work for either Samba version when pointed to a Windows
Server 2003 SP1 AD controller.

Thanks

Jeff Bradish
* mailto: jeff.bradish at eds.com


